fix(keyrack): add --owner flag for per-owner vault isolation

.behavior/v2026_02_25.keyrack-init-owner/.bind/vlad.init-owner.flag

@@ -0,0 +1,2 @@
+branch: vlad/init-owner
+bound_by: init.behavior skill

.behavior/v2026_02_25.keyrack-init-owner/.ref.[feedback].v1.[given].by_human.md

@@ -0,0 +1,27 @@
+emit your response to the feedback into
+- .behavior/v2026_02_25.keyrack-init-owner/$BEHAVIOR_REF_NAME.[feedback].v$FEEDBACK_VERSION.[taken].by_robot.md
+
+1. emit your response checklist
+2. exec your response plan
+3. emit your response checkoffs into the checklist
+
+---
+
+first, bootup your mechanics briefs again
+
+npx rhachet roles boot --repo ehmpathy --role mechanic
+
+---
+---
+---
+
+
+# blocker.1
+
+---
+
+# nitpick.2
+
+---
+
+# blocker.3

.behavior/v2026_02_25.keyrack-init-owner/.route/.bind.vlad.init-owner.flag

@@ -0,0 +1,2 @@
+branch: vlad/init-owner
+bound_by: route.bind skill

.behavior/v2026_02_25.keyrack-init-owner/.route/.drive.blocker.events.jsonl

@@ -0,0 +1,8 @@
+{"stone":"1.vision","count":1}
+{"stone":"1.vision","count":2}
+{"stone":"1.vision","count":3}
+{"stone":"1.vision","count":4}
+{"stone":"2.1.criteria.blackbox","count":1}
+{"stone":"2.1.criteria.blackbox","count":2}
+{"stone":"2.1.criteria.blackbox","count":3}
+{"stone":"2.1.criteria.blackbox","count":4}

.behavior/v2026_02_25.keyrack-init-owner/.route/1.vision.guard.judge.i1p1.11f7ac160fb11338a876f99f66a9cdcb47e7e59ba7574eb123b1249005b0643d.7e2d8e8c0917d7098a5f2927f9376740a11edd4d3a683ac88da58fa879922cd1.j1.md

@@ -0,0 +1,5 @@
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+
+passed: true
+reason: human approval found

.behavior/v2026_02_25.keyrack-init-owner/.route/2.1.criteria.blackbox.blockedOn.json

@@ -0,0 +1,5 @@
+{
+  "stone": "2.1.criteria.blackbox",
+  "blockedOn": "self-review",
+  "reason": "self-review required: all-real-junior"
+}

.behavior/v2026_02_25.keyrack-init-owner/.route/2.1.criteria.blackbox.guard.promise.all-real-junior.33ec8e39f2f99c5907c9f97bf3ae2d4f9fb3e2f76614bf5935dc29619c180940.md

@@ -0,0 +1,8 @@
+# promise: all-real-junior
+
+- stone: 2.1.criteria.blackbox
+- hash: 33ec8e39f2f99c5907c9f97bf3ae2d4f9fb3e2f76614bf5935dc29619c180940
+
+---
+
+i promise i have completed the self-review for "all-real-junior".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.judge.i1p1.988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59.0f03301519fe96edd8982cd362aadaf49a051089f4d069e95b595c3707d6b59a.j1.md

@@ -0,0 +1,18 @@
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+
+passed: false
+reason: wait for human approval
+
+
+---stderr---
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+   └─ ✋ blocked by constraints
+
+
+
+---stderr---
+
+---metadata---
+exit code: 1

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.judge.i1p1.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.4ed3b79fd731f3915594b3ce59984a0570317c5f18081fa99af860a4d90c8c0e.j1.md

@@ -0,0 +1,18 @@
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+
+passed: false
+reason: wait for human approval
+
+
+---stderr---
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+   └─ ✋ blocked by constraints
+
+
+
+---stderr---
+
+---metadata---
+exit code: 1

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.judge.i1p1.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.895ba6ba70ebc9e61b2d2f24c440dae660564bdc861b134367a7484c5a19aae8.j1.md

@@ -0,0 +1,5 @@
+
+🪨 run solid skill repo=bhrain/role=driver/skill=route.stone.judge
+
+passed: true
+reason: human approval found

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-done-junior.988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59.md

@@ -0,0 +1,8 @@
+# promise: all-done-junior
+
+- stone: 3.3.blueprint.v1
+- hash: 988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59
+
+---
+
+i promise i have completed the self-review for "all-done-junior".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-done-junior.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.md

@@ -0,0 +1,8 @@
+# promise: all-done-junior
+
+- stone: 3.3.blueprint.v1
+- hash: d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848
+
+---
+
+i promise i have completed the self-review for "all-done-junior".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-done-self.988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59.md

@@ -0,0 +1,8 @@
+# promise: all-done-self
+
+- stone: 3.3.blueprint.v1
+- hash: 988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59
+
+---
+
+i promise i have completed the self-review for "all-done-self".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-done-self.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.md

@@ -0,0 +1,8 @@
+# promise: all-done-self
+
+- stone: 3.3.blueprint.v1
+- hash: d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848
+
+---
+
+i promise i have completed the self-review for "all-done-self".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-simple-junior.988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59.md

@@ -0,0 +1,8 @@
+# promise: all-simple-junior
+
+- stone: 3.3.blueprint.v1
+- hash: 988497cfc9f681b33770a0af19fd498c93da0a909ab3c42138ed70e074734f59
+
+---
+
+i promise i have completed the self-review for "all-simple-junior".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.promise.all-simple-junior.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.md

@@ -0,0 +1,8 @@
+# promise: all-simple-junior
+
+- stone: 3.3.blueprint.v1
+- hash: d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848
+
+---
+
+i promise i have completed the self-review for "all-simple-junior".

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.selfreview.all-done-junior.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.triggered

@@ -0,0 +1,2 @@
+slug: all-done-junior
+hash: d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.selfreview.all-done-junior.i1.md

@@ -0,0 +1,183 @@
+# junior review: keyrack init --owner
+
+## reviewer role
+
+review of this implementation as a check of a junior's work. scope:
+- correctness against criteria
+- edge cases missed
+- code quality concerns
+- test coverage gaps
+
+---
+
+## implementation review
+
+### critical fix in unlockKeyrackKeys.ts ✅
+
+the fix passes `owner: input.owner ?? null` to `adapter.get()`. reviewed the diff:
+
+```diff
+- const secret = await adapter.get({ slug, exid: hostConfig.exid });
++ const secret = await adapter.get({
++   slug,
++   exid: hostConfig.exid,
++   owner: input.owner ?? null,
++ });
+```
+
+**assessment:** correct. without this, unlock reads from wrong vault path for custom owners.
+
+### test file keyrack.owner.acceptance.test.ts ✅
+
+reviewed all 7 given blocks:
+- case1: init command (3 scenarios)
+- case2: set command (2 scenarios)
+- case3: get isolation (2 scenarios)
+- case4: vault file structure (1 scenario, 3 assertions)
+- case5: status isolation (2 scenarios)
+- case6: flag consistency (4 scenarios)
+- case7: fallback pattern (2 scenarios)
+
+**assessment:** comprehensive coverage of the criteria.
+
+---
+
+## criteria verification
+
+### usecase.1 = init custom owner
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| manifest created at correct path | ✅ | case1 t0 checks `keyrack.host.ehmpath.demo.age` |
+| output shows "freshly minted" | ✅ | case1 t0 asserts `stdout.contains('freshly minted')` |
+| output shows owner name | ✅ | case1 t0 asserts `stdout.contains('ehmpath.demo')` |
+| extant manifest shows "found" | ✅ | case1 t1 asserts `stdout.contains('already active')` |
+| --for alias works | ✅ | case1 t2 uses `--for` flag |
+
+### usecase.2 = set key with custom owner
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| key stored in owner-namespaced path | ✅ | case2 t0 checks `owner=ehmpath.demo/keyrack.direct.json` |
+| error when no manifest | ✅ | case2 t1 checks non-zero exit and error message |
+| error includes tip | ✅ | case2 t1 checks for init/manifest keywords |
+
+### usecase.3 = get key with custom owner
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| key found for custom owner | ✅ | case3 t1, case7 t1 |
+| key not found from wrong owner | ✅ | case7 t0 |
+| isolation between owners | ✅ | case3 demonstrates different values |
+
+### usecase.4 = vault isolation per owner
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| physical file separation | ✅ | case4 verifies both directories |
+| default owner path | ✅ | case4 checks `owner=default` |
+| custom owner path | ✅ | case4 checks `owner=ehmpath.demo` |
+
+### usecase.5 = status with custom owner
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| shows keys for correct owner | ✅ | case5 t1 (list --owner) |
+| does not show other owner's keys | ✅ | case5 t0 (default status) |
+
+### usecase.6 = --owner flag consistency
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| init | ✅ | case1 |
+| set | ✅ | case2 |
+| get | ✅ | case3, case7 |
+| list | ✅ | case5 t1, case6 t0 |
+| unlock | ✅ | case6 t1, case7 setup |
+| relock | ✅ | case6 t2 |
+| recipient set | ✅ | case6 t3 |
+
+### usecase.7 = fallback pattern
+
+| criterion | tested | evidence |
+|-----------|--------|----------|
+| default owner returns not granted | ✅ | case7 t0 |
+| demo owner returns granted | ✅ | case7 t1 |
+| value matches demo owner | ✅ | case7 t1 second assertion |
+
+---
+
+## code verification
+
+### verified: unlockKeyrackKeys.ts line 152-155
+```typescript
+const secret = await adapter.get({
+  slug,
+  exid: hostConfig.exid,
+  owner: input.owner ?? null,  // ✅ owner parameter added
+});
+```
+
+### verified: unlockKeyrackKeys.ts line 35
+```typescript
+const socketPath = getKeyrackDaemonSocketPath({ owner: input.owner ?? null });  // ✅ per-owner daemon
+```
+
+### verified: getKeyrackKeyGrant.ts line 106-109
+```typescript
+const daemonResult = await daemonAccessGet({
+  slugs: [slug],
+  owner: context.owner,  // ✅ owner flows through context
+});
+```
+
+### verified: writeDirectStoreEntry.ts line 17-18
+```typescript
+const ownerDir = `owner=${input.owner ?? 'default'}`;
+const path = join(home, '.rhachet', 'keyrack', 'vault', 'os.direct', ownerDir, 'keyrack.direct.json');  // ✅ test helper supports owner
+```
+
+---
+
+## potential concerns checked
+
+### concern 1: race conditions in tests?
+**check:** tests use `useBeforeAll` which runs once per suite. setup order is deterministic.
+**verdict:** no issue
+
+### concern 2: test cleanup?
+**check:** tests use temp repos via `genTestTempRepo`. no shared state between given blocks.
+**verdict:** no issue
+
+### concern 3: daemon state leakage?
+**check:** `beforeAll` kills daemons for both owners before tests run.
+**verdict:** addressed
+
+### concern 4: case7 uses sudo env - is that correct?
+**check:** yes. sudo keys unlock directly from hostManifest without repoManifest. the test comment explains this.
+**verdict:** correct design decision
+
+### concern 5: case7 adds unlock step - required?
+**check:** yes. `keyrack get` reads from daemon only. keys must be unlocked first.
+**verdict:** matches design
+
+### concern 6: owner flows through entire codepath?
+**check:** verified via grep:
+- unlockKeyrackKeys.ts → adapter.get({ owner })
+- unlockKeyrackKeys.ts → getKeyrackDaemonSocketPath({ owner })
+- getKeyrackKeyGrant.ts → daemonAccessGet({ owner: context.owner })
+**verdict:** owner flows correctly through all paths
+
+---
+
+## gaps found
+
+none. the implementation covers all criteria.
+
+---
+
+## conclusion
+
+the junior's work is complete and correct. all criteria are tested. the critical fix in `unlockKeyrackKeys.ts` addresses the root cause. the test coverage is comprehensive.
+
+**recommendation:** approve and mark stone as passed.

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.selfreview.all-done-self.995a0b4f2ab86e0d5558de70db809ab41abf23927103d12bcfb03541aae5f49a.triggered

@@ -0,0 +1,2 @@
+slug: all-done-self
+hash: 995a0b4f2ab86e0d5558de70db809ab41abf23927103d12bcfb03541aae5f49a

.behavior/v2026_02_25.keyrack-init-owner/.route/3.3.blueprint.v1.guard.selfreview.all-done-self.d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848.triggered

@@ -0,0 +1,2 @@
+slug: all-done-self
+hash: d6e78d31538a62a923aa014a892683b8e584af23501b26dd694fee243d5c1848